by Robert Powell, Director, Global Compliance, IPC
Second in a five-part series to help manage adherence to MiFID II regulations on records retention. This MiFID II Checklist will look at extending the retention period, what to do when your system fails and how to achieve Complete, Quality and Accurate records.
Last time we looked at management oversight, knowing your estate and communications “intended to lead to a transaction.” This time – with less than 275 days to go – we are looking at extending the retention period; what to do when your system fails; and how to achieve “Complete, Quality and Accurate” records.
Unification of the records retention period is one of the new rules’ cornerstones under MiFID II. Firms will be required to retain communications data for five years, unless the local regulator requests retention for seven years. Presumably, if they do ask, you will know why they are asking, however, they are under no obligation to tell you. Most organizations already retain email and the like for at least five years so there will be no change here. However, it’s worth checking that you have captured all types of communications you use for the right period. Voice calls, fixed line and mobile, will be a different matter.
Five Key Things to Check Now
- You need to check how to extend your fixed-line recording retention period. Don’t forget to look at how that data is stored and if it is tamperproof or on WORM (write once, read many) storage.
- For mobile, do you need to record more of your users? Additionally, where are these calls stored? If the calls and other data comes to your on-premise infrastructure, then check the retention period and make sure calls by new users are set to be retained for five years.
- Are you under litigation or regulator hold for deleting records? What is covered and can you review these holds prior to MiFID II coming into play?
- If you have different archives for different media types, is now the time to look at a holistic archive that contains all of your communications records? And, will it allow you to manage retention periods, users, litigation holds along with search and recovery quickly and easily in one place?
- If you are a U.S. firm doing business with European-based firms, then you may need to look at extending the voice recording you do for CFTC purposes to include others that do these trades, even if they are not based in Europe.
Next, systems fail. It is a fact that is recognized by technologists, regulators and governments. When systems fail you find out more about your systems, procedures, technologists and partners than you do in the normal course of business. MiFID II requires you to know when your systems have failed and to investigate the failure. It’s not explicit, but your investigation of any failure should offer solutions to the failure and track the implementation of that solution.
In addition, you should try to formulate a list stating what was missed while the system was down. This way when regulators call, you have something to show for how you prevented a recurrence of the problem; along with a good idea of the calls or messages that were not captured while the problem existed. You should keep your written investigation for five years – the same as if you had captured the records originally.
I’m often asked if you should self-report such instances of missing records to the regulator. There is no straightforward answer. If you are in ongoing discussions with the regulator and have a regular meeting with them, then yes, it would probably make sense to inform them. Otherwise, it could make more sense to leave this until you are asked for records or have a more general regulatory audit. This kind of news is always best delivered early in any process, along with proof the problem was fixed and has not recurred.
Clarifying What Complete, Quality and Accurate Means
“Complete, Quality and Accurate” records are a requirement under MiFID II that some have said is vague. I don’t agree. I think it gives a clear understanding of what the regulator expects. It’s very similar to a requirement U.S. regulators have had in place since the Securities Exchange Act of 1934.
Complete – means you should know all types of communications you use and who is using them as well as having fit-for-purpose capture and retention mechanisms and processes in place.
Quality – means you should be able to reproduce these records in as near original quality as possible. It really applies to the ‘original form’ for electronic communications and for the actual voice quality for voice or video calls.
Accurate – means you should be confident of not only the records’ content, but also the all-important meta data that shows when messages were sent or calls made.
Next time – in Part 3 of our MiFID II Countdown Checklist series – we’ll cover employee training, preventing non-recordable use and the ability to demonstrate that your policies, procedures and management oversight are working and effective. To read Part 1 of the series, click here.